RESOLVED.CONF(5)
NAME
resolved.conf, resolved.conf.d - Network Name Resolution configuration files
SYNOPSIS
/etc/systemd/resolved.conf
/etc/systemd/resolved.conf.d/*.conf
/run/systemd/resolved.conf.d/*.conf
/usr/lib/systemd/resolved.conf.d/*.conf
DESCRIPTION
These configuration files control local DNS and LLMNR name resolution.
CONFIGURATION DIRECTORIES AND PRECEDENCE
The default configuration is defined at compile time, so a configuration file is only needed when it is necessary to deviate from those defaults. The initial configuration file in /etc/systemd/ contains only commented-out entries showing the defaults, as a guide for the administrator, who may edit it to create local overrides. When packages need to customize the configuration, they must install their configuration snippets in /usr/lib/systemd/*.conf.d/; the /etc/ directory is reserved for the local administrator. The administrator may use the following logic to override the defaults: the main configuration file is read first and has the lowest precedence; entries in any of the *.conf.d/ directories override entries in the main configuration file. Files in the *.conf.d/ subdirectories are sorted by their filename in lexicographic order, regardless of which of the subdirectories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name takes precedence. It is recommended to prefix all filenames in those subdirectories with a two-digit decimal number, to simplify the ordering of the files.
To disable a configuration file supplied in /usr/lib/, the recommended way is to create a symlink to /dev/null in the corresponding directory under /etc/ with the same filename as the file to be masked; this completely masks the /usr/lib/ file of that name.
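The precedence rules above are easier to check in code than to reason about by hand. The following Python script is an added example, not part of this man page and not systemd's own parser: it models the rules on a constructed directory tree under a temporary root (the main file is read first; drop-ins are deduplicated by filename across /etc, /run and /usr/lib with the higher-precedence directory winning; a drop-in that is /dev/null, or a symlink to it, masks that name; the survivors are parsed in lexicographic order so the last value wins). All file names, addresses and values in the tree are constructed for the demonstration, and the accumulation of repeated list settings such as DNS= within one file is deliberately not modelled.

```python
"""Precedence of resolved.conf and its *.conf.d/ drop-ins (added example, not systemd code)."""
import configparser
import os
import tempfile

# Search path, highest precedence first: /etc masks /run masks /usr/lib.
CONF_DIRS = ("etc/systemd", "run/systemd", "usr/lib/systemd")


def _is_dev_null(path):
    """True if path is /dev/null or a symlink pointing at it (an administrator mask)."""
    try:
        return os.path.samefile(path, os.devnull)
    except OSError:
        return False


def select_dropins(root):
    """Return drop-in paths in parse order.

    Each basename is taken from the highest-precedence directory that has it;
    a masked copy (/dev/null) removes the name entirely; the survivors are
    sorted by basename regardless of the directory they live in.
    """
    chosen = {}
    for d in CONF_DIRS:
        dirpath = os.path.join(root, d, "resolved.conf.d")
        if not os.path.isdir(dirpath):
            continue
        for name in os.listdir(dirpath):
            if name.endswith(".conf") and name not in chosen:
                chosen[name] = os.path.join(dirpath, name)
    return [chosen[n] for n in sorted(chosen) if not _is_dev_null(chosen[n])]


def dropin_names(root):
    """Basenames of the drop-ins that would actually be parsed, in order."""
    return [os.path.basename(p) for p in select_dropins(root)]


def effective_settings(root):
    """Main file first (lowest precedence), then each drop-in; the last value wins.

    configparser.read() skips files it cannot open, like systemd does, and a
    later file silently replaces earlier values. Repeated DNS= lines inside one
    file accumulate in systemd; that nuance is not modelled here (assumption).
    """
    files = [os.path.join(root, "etc/systemd/resolved.conf")] + select_dropins(root)
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keys are case-sensitive, as in systemd
    parser.read(files)
    return dict(parser["Resolve"]) if parser.has_section("Resolve") else {}


def build_demo_tree():
    """Constructed sample tree (not taken from any real host), rooted in a temp dir."""
    root = tempfile.mkdtemp(prefix="resolved-demo-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("etc/systemd/resolved.conf",
          "[Resolve]\nDNS=10.0.0.1\nDNSSEC=no\nLLMNR=yes\n")
    write("usr/lib/systemd/resolved.conf.d/10-vendor.conf",
          "[Resolve]\nDNS=10.0.0.2\nDNSSEC=allow-downgrade\n")
    write("usr/lib/systemd/resolved.conf.d/50-vendor-llmnr.conf",
          "[Resolve]\nLLMNR=no\n")
    # Administrator override: sorts after 10-vendor.conf, so its values win.
    write("etc/systemd/resolved.conf.d/20-site.conf",
          "[Resolve]\nDNS=192.0.2.53\nDNSSEC=yes\n")
    # Administrator mask: same name as the vendor file, pointing at /dev/null.
    os.makedirs(os.path.join(root, "etc/systemd/resolved.conf.d"), exist_ok=True)
    os.symlink(os.devnull,
               os.path.join(root, "etc/systemd/resolved.conf.d/50-vendor-llmnr.conf"))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("parse order:", dropin_names(demo))
    for key, value in sorted(effective_settings(demo).items()):
        print(f"{key}={value}")
```

Run as a script it prints the parse order (10-vendor.conf, then 20-site.conf; the masked 50-vendor-llmnr.conf never appears) and the merged [Resolve] section, in which DNS= and DNSSEC= come from the administrator's 20-site.conf while LLMNR= keeps the main file's value because the vendor drop-in that would have changed it is masked.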
OPTIONS
All options are configured in the "[Resolve]" section:
DNS=
FallbackDNS=
Domains=
If a domain is prefixed with "~", it is not a search domain but a "routing-only domain": it is used only to route lookups for that domain (and its subdomains) preferably to the global DNS servers configured with DNS= above. Note that the "~" syntax has no effect if no per-link DNS servers exist. The special value "~." routes all DNS lookups preferably to the global DNS servers configured with DNS= above (the leading tilde marks a routing-only domain; the trailing dot is the DNS root domain, which is the implied suffix of every domain name).
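The routing effect of Domains=, and in particular why "~." matters only when per-link servers exist, is clearer in code. The following Python model is an added example, not systemd's implementation and not part of this page: it treats the global DNS= servers as one scope and each link's servers as further scopes, sends a lookup to the scope holding the longest domain that is a suffix of the name (with "~." matching every name as a zero-length suffix), falls back to the links' servers when no domain matches, and completes single-label names with search domains only, never with routing-only ones. The Scope class, the link names, the addresses and the query names are all constructed for the demonstration.

```python
"""Routing of lookups by Domains= (added model, not systemd's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Scope:
    """One set of DNS servers plus the Domains= entries that steer names to it."""
    name: str
    servers: list
    domains: list = field(default_factory=list)


def _labels(domain):
    """Lower-cased labels of a domain; the root "." yields an empty list."""
    return [l for l in domain.strip(".").lower().split(".") if l]


def parse_domain(entry):
    """Split a Domains= entry into (domain, routing_only); "~" marks routing-only."""
    routing_only = entry.startswith("~")
    return (entry[1:] if routing_only else entry), routing_only


def suffix_match_len(name, domain):
    """Number of labels of `domain` if it is a suffix of `name`, else -1.

    The root domain has zero labels and therefore matches every name, which is
    why "~." turns the global servers into the default route.
    """
    n, d = _labels(name), _labels(domain)
    if len(d) > len(n):
        return -1
    if d and n[-len(d):] != d:
        return -1
    return len(d)


def route(name, global_scope, link_scopes):
    """Scopes a lookup for `name` is sent to: the longest matching domain wins.

    Both search domains and routing-only domains route. When nothing matches,
    links that have servers take the query; the global servers are used only
    when no link provides any (hence "~" is meaningless without link servers).
    """
    best_len, best = -1, []
    for scope in [global_scope, *link_scopes]:
        for entry in scope.domains:
            m = suffix_match_len(name, parse_domain(entry)[0])
            if m > best_len:
                best_len, best = m, [scope]
            elif m == best_len and m >= 0 and all(s is not scope for s in best):
                best.append(scope)
    if best:
        return best
    with_servers = [s for s in link_scopes if s.servers]
    return with_servers or [global_scope]


def search_candidates(name, scopes):
    """Complete a single-label name with search domains (never routing-only ones)."""
    if "." in name.strip("."):
        return [name]
    return [f"{name}.{parse_domain(e)[0]}"
            for scope in scopes for e in scope.domains
            if not parse_domain(e)[1]]


def resolve_plan(name, global_scope, link_scopes):
    """List of (fully qualified candidate, names of the scopes it is sent to)."""
    scopes = [global_scope, *link_scopes]
    return [(fqdn, [s.name for s in route(fqdn, global_scope, link_scopes)])
            for fqdn in search_candidates(name, scopes)]


# Constructed scenario: a VPN link claims corp.example only, a LAN link has a
# search domain, and the global servers are configured with or without "~.".
VPN = Scope("vpn0", ["10.8.0.1"], ["~corp.example"])
LAN = Scope("eth0", ["10.0.0.1"], ["home.lan"])
LINKS = [VPN, LAN]
GLOBAL_DEFAULT_ROUTE = Scope("global", ["192.0.2.53"], ["~."])  # DNS=192.0.2.53 Domains=~.
GLOBAL_NO_ROUTE = Scope("global", ["192.0.2.53"])                # DNS=192.0.2.53, no Domains=


if __name__ == "__main__":
    for q in ("db.corp.example", "printer", "www.example.org"):
        print(q, "->", resolve_plan(q, GLOBAL_DEFAULT_ROUTE, LINKS))
    print("www.example.org without ~. ->",
          resolve_plan("www.example.org", GLOBAL_NO_ROUTE, LINKS))
```

The last two lines of output show the practical difference: with Domains=~. on the global servers, a name no link claims (www.example.org) goes to the global servers; without it, the same lookup goes to every link that has servers, which is usually not what an administrator who configured global servers intended.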
LLMNR=
DNSSEC=
Note that DNSSEC validation slows down lookups, because additional DNS data has to be fetched.
DNSSEC requires knowledge of "trust anchors" to prove data integrity. The trust anchor for the Internet root domain is built into the resolver, additional trust anchors may be defined with dnssec-trust-anchors.d(5). Trust anchors may change at regular intervals, and old trust anchors may be revoked. In such a case DNSSEC validation is not possible until new trust anchors are configured locally or the resolver software package is updated with the new root trust anchor. In effect, when the built-in trust anchor is revoked and DNSSEC= is yes, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned. If DNSSEC= is set to "allow-downgrade" the resolver will automatically turn off DNSSEC validation in such a case.
Client programs looking up DNS data will be informed whether lookups could be verified using DNSSEC, or whether the returned data could not be verified (either because the data was found unsigned in the DNS, or the DNS server did not support DNSSEC or no appropriate trust anchors were known). In the latter case it is assumed that client programs employ a secondary scheme to validate the returned DNS data, should this be required.
It is recommended to set DNSSEC= to yes on systems where it is known that the DNS server supports DNSSEC correctly, and where software or trust anchor updates happen regularly. On other systems it is recommended to set DNSSEC= to "allow-downgrade".
In addition to this global DNSSEC setting systemd-networkd.service(8) also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.
Site-private DNS zones generally conflict with DNSSEC operation, unless a negative (if the private zone is not signed) or positive (if the private zone is signed) trust anchor is configured for them. If "allow-downgrade" mode is selected, it is attempted to detect site-private DNS zones using top-level domains (TLDs) that are not known by the DNS root server. This logic does not work in all private zone setups.
Defaults to "no".
Cache=
Note that caching is always turned off for DNS servers on a host-local IP address such as 127.0.0.1 or ::1, in order to avoid duplicate local caching.
SEE ALSO
systemd(1), systemd-resolved.service(8), systemd-networkd.service(8), dnssec-trust-anchors.d(5), resolv.conf(4)
COLOPHON
The Chinese version of this page is provided by the Chinese man pages project (中文 man 手册页计划). Translator: 金步国
金步国作品集: http://www.jinbuguo.com
中文 man 手册页计划: https://github.com/man-pages-zh/manpages-zh
systemd 231